Find reachable dependency vulnerabilities | Fluid Attacks Help

Find reachable dependency vulnerabilities

Fluid Attacks' static code scans detect the third-party dependencies your software uses and verify whether your code actually calls the dependencies' vulnerable functions. Confirming that a detected dependency vulnerability is actually reachable by threat actors is possible thanks to Fluid Attacks' Reachability feature.

Know which dependencies have vulnerabilities

Fluid Attacks allows you to understand your software supply chain, identifying the dependencies in your software and indicating for which of them vulnerability advisories have been issued.

If using the platform, this information is shown in the Inherited section, along with details such as the dependency's location in your projects and whether it contains malware.

[Screenshot: View used dependencies on the Fluid Attacks platform]

This section shows the dependencies with associated advisories as 'Vulnerable' and, importantly, differentiates which of them are reachable. A dependency being present does not by itself mean the advisory's vulnerability can be exploited in the context of your application; to determine whether its usage actually constitutes a higher risk, Fluid Attacks' Reachability analyzes your code and verifies that it does call the dependencies' vulnerable functions.

Know reachable dependency vulnerabilities

Leveraging the Reachability feature, Fluid Attacks' scans track down your use of the third-party dependencies' vulnerable functions. If it is confirmed that your software is at risk by using those dependencies, then you get the corresponding vulnerability reports.
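To illustrate the distinction the two passages above draw between a vulnerable dependency being present and its vulnerable function being reachable, here is a small added example (not Fluid Attacks' implementation, and not code from this page). It uses Python's `ast` module to resolve import aliases and report which advisory-listed functions a source file actually calls; the advisory feed, the package names and the sample application are constructed, and the CVE ids are placeholders.

```python
# Toy reachability check: added example, not Fluid Attacks' implementation.
# The advisory data and sample source are constructed; CVE ids are placeholders.
import ast
# Constructed advisory feed: qualified vulnerable function -> placeholder CVE id.
ADVISORIES = {"yamlish.load": "CVE-0000-0001 (placeholder)",
              "archiver.extract_all": "CVE-0000-0002 (placeholder)"}
# Constructed sample application: both packages are present (an inventory would
# flag both as "Vulnerable"), but only one of the vulnerable functions is called.
SAMPLE_SRC = """
import yamlish
from archiver import extract_all as unpack, list_entries

def load_config(path):
    with open(path) as fh:
        return yamlish.load(fh)   # reachable: the vulnerable function is called

def inspect(path):
    return list_entries(path)     # archiver is present, but extract_all never runs
"""

def _import_aliases(tree):
    """Map each local name to the qualified name it imports, honouring 'as' aliases."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            aliases.update({a.asname or a.name: a.name for a in node.names})
        elif isinstance(node, ast.ImportFrom) and node.module:
            aliases.update({a.asname or a.name: f"{node.module}.{a.name}" for a in node.names})
    return aliases

def imported_packages(src):
    """Top-level packages the source imports: what a plain dependency inventory sees."""
    return {q.split(".")[0] for q in _import_aliases(ast.parse(src)).values()}

def reachable_advisories(src):
    """Map each vulnerable function that is actually called to (cve, line number)."""
    tree = ast.parse(src)
    aliases, hits = _import_aliases(tree), {}
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        parts, f = [], node.func          # unwind pkg.sub.func attribute chains
        while isinstance(f, ast.Attribute):
            parts.append(f.attr)
            f = f.value
        if isinstance(f, ast.Name):       # resolve the root through the import table
            name = ".".join([aliases.get(f.id, f.id)] + parts[::-1])
            if name in ADVISORIES:
                hits[name] = (ADVISORIES[name], node.lineno)
    return hits
```

On the sample, `imported_packages` reports both packages while `reachable_advisories` reports only `yamlish.load` with the line it is called from; a real engine also follows calls across files and through the dependency's own code, which this toy does not.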

If using the platform, every reachable vulnerability is reported
  1. in the Inherited section with the tag Reachable;
  2. in the Injected section within the specific type of vulnerability it represents for your project.

From the Inherited section, to learn where the vulnerability is in your project,
  1. expand the row,
  2. click on the link under Related Vulnerabilities,
  3. identify the file path and line of code (LoC) related to the vulnerability.

[Screenshot: Know where reachable vulnerability is on the Fluid Attacks platform]
[Screenshot: Know reachable vulnerability line of code on the Fluid Attacks platform]

From the Injected section, to identify a reachable dependency vulnerability,
  1. select a type of vulnerability,
  2. click on a location,
  3. identify whether a CVE ID is mentioned within the vulnerability description in the Details tab.

[Screenshot: Select a type with vulnerable dependency on the Fluid Attacks platform]
[Screenshot: Select vulnerability using dependency on the Fluid Attacks platform]
[Screenshot: See CVE in vulnerability description on the Fluid Attacks platform]

Moreover, in the Evidence section of the type of vulnerability, you can see a screenshot showing your vulnerable code in context along with the mention of the CVE ID reported for the dependency.

[Screenshot: View evidence of reachable vulnerability on the Fluid Attacks platform]

Supported CVEs

The following table shows the Common Vulnerabilities and Exposures (CVE) entries for which reachability analysis is currently possible, indicating the corresponding programming language.

Note: The total CVEs count is the sum of unique CVEs.